Permissions

Control which tools each agent can use — allow, ask, or deny per tool, with per-agent overrides.

The permission layer lets you control which tools agents can call. It sits between the agent and tool dispatch — every tool call passes through permission checks before execution.

Three permission levels

Level	Behavior
`allow`	Tool executes immediately (default for all tools)
`ask`	Tool call blocks the task; an inbox item is created for user approval
`deny`	Tool call is rejected with an error message

Configuration

Permissions are set in walrus.toml under the [permissions] section:

# Global defaults — apply to all agents
[permissions]
bash = "ask"
write = "deny"

# Per-agent overrides
[permissions.researcher]
bash = "deny"
read = "allow"

Resolution order

When an agent calls a tool, the permission is resolved in this order:

Agent-specific override — [permissions.<agent-name>] table
Global default — top-level [permissions] entry
Built-in default — allow

The first match wins. If no entry exists at any level, the tool is allowed.

How `ask` works

When a tool has ask permission:

The agent pauses and waits for user approval
An inbox item is created with the tool name and arguments
The user responds with approved or denied
If approved, the tool executes normally; if denied, the agent receives an error

The ask permission only works within a task context. In a direct REPL session (no task), ask falls back to allow.

What's next

Tasks — how ask integrates with task blocking
Configuration reference — full [permissions] field reference

Search

Meta search engine service — DuckDuckGo and Wikipedia with consensus ranking, no API keys required.

CLI Reference

All OpenWalrus CLI commands — attach, daemon, hub, task, and session management.

On this page

Three permission levels Configuration Resolution order How ask works What's next